Out-of-Bounds Read Vulnerability in Linux Kernel Affecting USB Gadget Configuration
CVE-2025-38497
What is CVE-2025-38497?
A vulnerability in the Linux kernel's USB gadget configuration allows an out-of-bounds read when an empty string is written to certain sysfs attributes. Specifically, the functions handling 'qw_sign' and 'landingPage' did not validate the input length before accessing the buffer, so a zero-length write read memory outside it. This could lead to undefined behavior or potential information leaks. The patch makes both functions check for zero-length input first and handle that case appropriately.
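The pattern described above, as an added example that is not taken from the kernel source or from this advisory: a user-space C model of a store handler that trims a trailing newline, which is assumed here to be the operation that indexes the buffer. The names `trim_len_unchecked`, `trim_len_checked`, `empty_write` and `ATTR_MAX` are hypothetical.

```c
#include <stddef.h>
#include <stdio.h>

#define ATTR_MAX 16 /* hypothetical attribute capacity, not a kernel constant */

/* "Before": indexes page[l - 1] without first checking that l > 0. */
static int trim_len_unchecked(const char *page, size_t len)
{
    int l = (int)(len < ATTR_MAX ? len : ATTR_MAX);

    if (page[l - 1] == '\n') /* l == 0 reads the byte before the buffer */
        --l;
    return l;
}

/* "After": zero-length input returns before any indexing. */
static int trim_len_checked(const char *page, size_t len)
{
    if (len == 0)
        return 0;
    return trim_len_unchecked(page, len);
}

/*
 * Constructed harness: the write buffer starts at arena + 1, so page[-1]
 * is a valid byte of the same array and the read is observable without
 * undefined behaviour. 'neighbour' stands in for adjacent memory.
 */
static int empty_write(int use_checked, char neighbour)
{
    char arena[1 + ATTR_MAX] = { 0 };

    arena[0] = neighbour;
    return use_checked ? trim_len_checked(arena + 1, 0)
                       : trim_len_unchecked(arena + 1, 0);
}

int main(void)
{
    printf("unchecked, neighbour '\\n': %d\n", empty_write(0, '\n'));
    printf("unchecked, neighbour 'A':  %d\n", empty_write(0, 'A'));
    printf("checked,   neighbour '\\n': %d\n", empty_write(1, '\n'));
    printf("non-empty \"abc\\n\":          %d\n", trim_len_checked("abc\n", 4));
    return 0;
}
```

In the unchecked version the result of an empty write depends on whatever byte precedes the buffer, and a negative length can then reach later code; the checked version returns the same value regardless of neighbouring memory.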
Affected Version(s)
Linux 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 < 2798111f8e504ac747cce911226135d50b8de468
Linux 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 < 58bdd5160184645771553ea732da5c2887fc9bd1
Linux 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 < 783ea37b237a9b524f1e5ca018ea17d772ee0ea0